U.S. Department of the Interior 
PRIVACY IMPACT ASSESSMENT 





Introduction 


The Department of the Interior requires PIAs to be conducted and maintained on all IT systems 
whether already in existence, in development or undergoing modification in order to adequately 
evaluate privacy risks, ensure the protection of privacy information, and consider privacy 
implications throughout the information system development life cycle. This PIA form may not 
be modified and must be completed electronically; hand-written submissions will not be 
accepted. See the DOI PIA Guide for additional guidance on conducting a PIA or meeting the 
requirements of the E-Government Act of 2002. See Section 6.0 of the DOI PIA Guide for 
specific guidance on answering the questions in this form. 


NOTE: See Section 7.0 of the DOI PIA Guide for guidance on using the DOI Adapted PIA 
template to assess third-party websites or applications. 


Name of Project: Enterprise Human Resources Integration (EHRI) General Support System 
(GSS) Decommission PIA 

Bureau/Office: Office of the Chief Information Officer 

Date: 2/15/2018 

Point of Contact 

Name: Teri Barnett 

Title: Departmental Privacy Officer 

Email: DOL Privacy@ios.doi.gov 

Phone: (202) 208-1605 

Address: 1849 C Street NW, Room 7112, Washington, DC 20240 


Section 1. General System Information 


A. Isa full PIA required? 
Yes, information is collected from or maintained on 
O Members of the general public 
Federal personnel and/or Federal contractors 
O Volunteers 
O All 


O No: Information is NOT collected, maintained, or used that is identifiable to the 
individual in this system. Only sections 1 and 5 of this form are required to be 
completed. 
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B. What is the purpose of the system? 


The Enterprise Human Resources Integration (EHRT) General Support System (GSS) is a 
general support system hosted at a Department of the Interior (DOI) data center. 


The EHRI GSS provided network and communication support to the Office of Personnel 
Management (OPM) hosted applications, including the Enterprise Human Resources 
Integration Data Warehouse (EHRI DW) and its related minor applications, and the 
Electronic Official Personnel Folder (eOPF) application and its related two minor 
applications. The EHRI DW and eOPF support human resources management functions 
across the Federal Government. The EHRI DW is a data warehouse and repository for all 
executive branch employee data. The eOPF is an electronic system containing Federal 
employees’ Official Personnel File, which may be accessed by Federal employees and 
human resources staff via the OPM website, and is also used by Federal agencies for the 
purpose of supporting the investigation process and saving agency resources. 


OPM has migrated its systems and data hosted in the EHRI to an OPM-managed 
environment in Macon, Georgia, which is solely operated under OPM management. As a 
result of the successful migration of the EHRI GSS systems, data, and documentation to 
the new OPM environment and data center, the legacy DOI EHRI hosting infrastructure 
(servers, storage, and network devices) is no longer needed and is being decommissioned. 


Software: 


The OPM application software is outside the scope of this assessment as it is under the 
control of OPM and has been migrated to a new OPM hosted infrastructure. The EHRI 
OPM systems were successfully migrated to the OPM-managed and FISMA certified 
environment in 2017. 


Hardware: 


The DOI servers (in racks) have been moved to the tape library room and are being 
decommissioned based on direction from the EHRI System Owner. Excessing will 
follow DOI policy and procedures. 


Servers identified in the “OPM eOPF and EHRI DW Equipment Inventory - Legacy 
Equipment for Decommissioning” spreadsheet have been decommissioned. Server hard 
drives will remain within the DOI Data Center organizational control until destroyed on 
site. The Data Center Manager has property custody of the servers until custody is 
transferred to a property officer within DOI’s Office of Facilities and Services (OFAS), 
Property Management Office. 


SAN (Storage Area Network) Storage in the DOI data centers will be professionally 
disposed of in accordance with National Institute of Standards and Technology (NIST) 
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standards. Storage devices will be excessed and the drives will be shredded in 
accordance with DOI policy or will receive sanitization, verification, and certification 
services. 


All tapes will remain within the DOI Data Center’s organizational control and will be 
shredded based on DOI policies and procedures. OPM has not provided any 
requirements for decommissioning and excessing of remaining equipment. 


Documentation: 


The EHRI DW and eOPF applications and data belong to OPM. The OPM applications, 
data and all documentation were migrated to an OPM managed facility in July 2017. 


. What is the legal authority? 


The Chief Financial Officers Act (CFOs Act) of 1990, P.L. 101-576; the Federal 
Managers’ Financial Integrity Act of 1982, P.L. 97-255 (31 U.S.C. 3512 et seq.); 31 
U.S.C. Chapter 11, the Budget and Fiscal, Budget, and Program Information; the Office 
of Management and Budget Circular A-127, Policies and Standards for Financial 
Management Systems. 


. Why is this PIA being completed or modified? 


O New Information System 

O New Electronic Collection 

O Existing Information System under Periodic Review 
O Merging of Systems 

O Significantly Modified Information System 

O Conversion from Paper to Electronic Records 
Retiring or Decommissioning a System 

O Other: Describe 


. Is this information system registered in CSAM? 

The completed PIA, associated system of records notice(s), and any other supporting 
artifacts must be entered into the CSAM system for each registered system or application. 
Yes: Enter the UII Code and the System Security Plan (SSP) Name 

UII Code: 010-00-01-07-02-1219-00; EHRI GSS SSP of September 7, 2016. 


O No 





Enterprise Human Resources Integration (EHRI) Decommission 


Privacy Impact Assessment 


. List all minor applications or subsystems that are hosted on this system and covered 
under this privacy impact assessment. 





Subsystem Name 


Purpose 


Contains PII 
(Yes/No) 


Describe 
If Yes, provide a 
description. 





EHRI DataWarehouse 
(DW) 


The EHRI Data 
Warehouse 

system is a major 
application owned by 
OPM that stores 
employee records for 
Federal employees and 
contains sub- 
applications 

such as Central 
Employee Record 
(CER) and Business 
Intelligence Reporting 
(BI), Statistical 
Datamart (SDM) and 
Records System 
Modernization (RSM) 
applications. 


Yes 


Stores PII in the form 
of employee records. 
OPM completed a 
PIA for this system. 








Electronic Official 
Personnel 
Folder (eOPF) 





The eOPF major 
application allows 
Federal government 
employees to access 
their official personnel 
folders online. The 
eOPF has the minor 
applications Electronic 
Data Management 
System (EDMS) and 
ePerformance. 





Federal employee 
official personnel 
records. OPM 
completed a PIA for 
this system. 








DOI’s legacy EHRI infrastructure has been decommissioned. The OPM application 
software and data were migrated to an OPM managed site. As a result, PII is no longer 
being collected or hosted in this legacy environment. 
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G. Does this information system or electronic collection require a published Privacy 
Act System of Records Notice (SORN)? 


O Yes: List Privacy Act SORN Identifier(s) 
No 


H. Does this information system or electronic collection require an OMB Control 
Number? 


O Yes: Describe 
No 


Section 2. Summary of System Data 
A. What PII will be collected? Indicate all that apply. 
Other: Specify the PII collected. 


The DOI legacy EHRI infrastructure has been decommissioned. The OPM application 
software and data were migrated to an OPM managed site. As a result, PII is no longer 
being collected or hosted in this legacy environment. 


B. What is the source for the PII collected? Indicate all that apply. 


O Individual 

O Federal agency 

O Tribal agency 

O Local agency 

O DOI records 

O Third party source 
O State agency 
Other: Describe 


The DOI legacy EHRI infrastructure has been decommissioned. The OPM application 
software and data were migrated to an OPM managed site. As a result, PII is no longer 
being collected or hosted in this legacy environment. 


C. How will the information be collected? Indicate all that apply. 


O Paper Format 

O Email 

O Face-to-Face Contact 
O Web site 
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O Fax 

O Telephone Interview 

O Information Shared Between Systems 
Other: Describe 


The DOI legacy EHRI infrastructure has been decommissioned. Information is not being 
collected. The OPM application software and data were migrated to an OPM managed 
site. As a result, PII is no longer being collected or hosted in this legacy environment. 


. What is the intended use of the PII collected? 

DOI’s legacy EHRI infrastructure is decommissioned, the data, system and software are 
migrated to OPM managed site. PII is no longer hosted in the EHRI. Please see the 
OPM privacy impact assessments for the applications owned and managed by OPM for 


information on how data is collected and used by OPM. 


. With whom will the PII be shared, both within DOI and outside DOI? Indicate all 
that apply. 


O Within the Bureau/Office: Describe the bureau/office and how the data will be used. 
O Other Bureaus/Offices: Describe the bureau/office and how the data will be used. 
Other Federal Agencies: Describe the federal agency and how the data will be used. 
The DOI legacy EHRI infrastructure has been decommissioned. The OPM application 
software and data were migrated to an OPM managed site. As a result, PII is no longer 
being hosted in this legacy environment. Individuals may view OPM privacy impact 
assessments for the OPM-owned and managed applications and related system of records 


notices for information on how data is managed and shared. 


O Tribal, State or Local Agencies: Describe the Tribal, state or local agencies and how 
the data will be used. 


O Contractor: Describe the contractor and how the data will be used. 


O Other Third Party Sources: Describe the third party source and how the data will be 
used. 


. Do individuals have the opportunity to decline to provide information or to consent 
to the specific uses of their PII? 


O Yes: Describe the method by which individuals can decline to provide information or 
how individuals consent to specific uses. 
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O No: State the reason why individuals cannot object or why individuals cannot give or 
withhold their consent. 


The DOI legacy EHRI infrastructure has been decommissioned. The OPM application 
software and data were migrated to an OPM managed site. As a result, PII is no longer 


being collected or hosted in this legacy environment. 


G. What information is provided to an individual when asked to provide PII data? 
Indicate all that apply. 


O Privacy Act Statement: Describe each applicable format. 
O Privacy Notice: Describe each applicable format. 

O Other: Describe each applicable format. 

None 


H. How will the data be retrieved? List the identifiers that will be used to retrieve 
information (e.g., name, case number, etc.). 


Not applicable. The DOI legacy EHRI infrastructure has been decommissioned. The 
OPM application software and data were migrated to an OPM managed site. As a result, 
PII is no longer being hosted in this legacy environment. 

I. Will reports be produced on individuals? 


O Yes: What will be the use of these reports? Who will have access to them? 


K No 


Section 3. Attributes of System Data 


A. How will data collected from sources other than DOI records be verified for 
accuracy? 


Not applicable. The DOI legacy EHRI infrastructure has been decommissioned. The 
OPM application software and data were migrated to an OPM managed site. As a result, 
PII is no longer being hosted in this legacy environment. 
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B. How will data be checked for completeness? 


Not applicable. The DOI legacy EHRI infrastructure has been decommissioned. The 
OPM application software and data were migrated to an OPM managed site. As a result, 
PII is no longer being hosted in this legacy environment. 


C. What procedures are taken to ensure the data is current? Identify the process or 
name the document (e.g., data models). 


Not applicable. The DOI legacy EHRI infrastructure has been decommissioned. The 
OPM application software and data were migrated to an OPM managed site. As a result, 
PII is no longer being collected or hosted in this legacy environment. 


D. What are the retention periods for data in the system? Identify the associated 
records retention schedule for the records in this system. 


Not applicable. The DOI legacy EHRI infrastructure has been decommissioned. The 
OPM application software and data were migrated to an OPM managed site. As a result, 
PII is no longer being hosted in this legacy environment. 


E. What are the procedures for disposition of the data at the end of the retention 
period? Where are the procedures documented? 


The DOI legacy EHRI infrastructure has been decommissioned. The OPM application 
software and data belong to OPM and were migrated to an OPM managed site. As a 
result, PII is no longer being hosted in this legacy environment. 


Server hard drives will remain within the DOI Data Center organizational control until 
destroyed on site. SAN storage in the DOI data centers will be professionally disposed of 
in accordance with NIST guidelines. Storage devices will be excessed and drives will be 
shredded in accordance with DOI policy or will receive sanitization, verification, and 
certification services. All tapes will remain within the DOI Data Center’s organizational 
control and will be shredded based on DOI policies and procedures. Approved methods 
include shredding or pulping paper records, and degaussing or erasing for electronic 
records, in accordance with NARA Guidelines and 384 Departmental Manual 1. 


F. Briefly describe privacy risks and how information handling practices at each stage 
of the “information lifecycle” (i.e., collection, use, retention, processing, disclosure 
and destruction) affect individual privacy. 


The DOI legacy EHRI infrastructure has been decommissioned. The OPM application 
software and data were migrated to an OPM managed site. As a result, PII is no longer 
being hosted in this legacy environment. The hosted applications and data belong to 
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OPM, and OPM conducted privacy impact assessments to assess the risks for the OPM 
owned applications. 


There is a limited privacy risk for the decommissioning of the DOI legacy EHRI 
infrastructure related to potential unauthorized access or mishandling of the residual data 
that remains in the legacy EHRI GSS before it can be destroyed. DOI will shred both the 
SAN storage and the backup tapes in accordance with DOI policy to mitigate this risk. 
DOI has implemented adequate physical, administrative and logical controls to protect 
the devices, equipment and any residual data from unintended or unauthorized access. 
Prior to excessing, the residual data will be located on the SAN devices and tape backups 
under the control of DOI, and will be located in secured DOI controlled facilities that are 
monitored 24 hours a day and are limited to authorized personnel with PIV card and 
password. 


Section 4. PIA Risk Review 


A. Is the use of the data both relevant and necessary to the purpose for which the 
system is being designed? 


O Yes: Explanation 
No 


B. Does this system or electronic collection derive new data or create previously 
unavailable data about an individual through data aggregation? 


O Yes: Explain what risks are introduced by this data aggregation and how these risks 
will be mitigated. 


No 
C. Will the new data be placed in the individual’s record? 


O Yes: Explanation 
No 


D. Can the system make determinations about individuals that would not be possible 
without the new data? 


O Yes: Explanation 
No 
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. How will the new data be verified for relevance and accuracy? 


Not applicable. The DOI legacy EHRI infrastructure has been decommissioned, and the 
OPM software applications and data were migrated to an OPM managed site. 


. Are the data or the processes being consolidated? 


O Yes, data is being consolidated. Describe the controls that are in place to protect the 
data from unauthorized access or use. 


O Yes, processes are being consolidated. Describe the controls that are in place to 
protect the data from unauthorized access or use. 


No, data or processes are not being consolidated. 


. Who will have access to data in the system or electronic collection? Indicate all that 
apply. 


O Users 

O Contractors 

O Developers 

O System Administrator 
Other: Describe 


The DOI legacy EHRI infrastructure has been decommissioned, and the OPM software 
applications and data were migrated to an OPM managed site. PII is no longer hosted in 
the EHRI GSS. 


. How is user access to data determined? Will users have access to all data or will 
access be restricted? 


The DOI legacy EHRI infrastructure has been decommissioned, and the OPM software 
applications and data were migrated to an OPM managed site. PII is no longer hosted in 
the EHRI GSS. Only authorized DOI personnel have access to the equipment and 
residual data pending destruction. 


Are contractors involved with the design and/or development of the system, or will 
they be involved with the maintenance of the system? 


Yes. Were Privacy Act contract clauses included in their contracts and other 
regulatory measures addressed? 


Privacy clauses are included in the contract. 
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O No 


. Is the system using technologies in ways that the DOI has not previously employed 


(e.g., monitoring software, SmartCards or Caller ID)? 


O Yes. Explanation 
No 


. Will this system provide the capability to identify, locate and monitor individuals? 


O Yes. Explanation 
No 


. What kinds of information are collected as a function of the monitoring of 
individuals? 


Not applicable. The DOI legacy EHRI infrastructure has been decommissioned, and the 
OPM software applications and data were migrated to an OPM managed site. 


. What controls will be used to prevent unauthorized monitoring? 


Not applicable. The DOI legacy EHRI infrastructure has been decommissioned, and the 
OPM software applications and data were migrated to an OPM managed site. 


. How will the PII be secured? 
(1) Physical Controls. Indicate all that apply. 


Security Guards 

O Key Guards 

O Locked File Cabinets 
Secured Facility 
Closed Circuit Television 
O Cipher Locks 
Identification Badges 
O Safes 

O Combination Locks 
Locked Offices 
Other. Describe 


The DOI legacy EHRI infrastructure has been decommissioned, and the OPM 
software applications and data were migrated to an OPM managed site. DOI’s legacy 
EHRI infrastructure is now decommissioned, the data, system and software are 
migrated to OPM managed site. The SAN devices and tape backups are under the 
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control of DOI until they are destroyed, and are located in a secured DOI controlled 
facility that is monitored 24 hours a day and requires a PIV card and password to 
enter. 


(2) Technical Controls. Indicate all that apply. 


Password 

Firewall 

Encryption 

User Identification 

O Biometrics 

Intrusion Detection System (IDS) 

Virtual Private Network (VPN) 

Public Key Infrastructure (PKI) Certificates 
Personal Identity Verification (PIV) Card 
O Other. Describe 


(3) Administrative Controls. Indicate all that apply. 


Periodic Security Audits 

Backups Secured Off-site 

Rules of Behavior 

Role-Based Training 

Regular Monitoring of Users’ Security Practices 

Methods to Ensure Only Authorized Personnel Have Access to PII 
Encryption of Backups Containing Sensitive Data 

Mandatory Security, Privacy and Records Management Training 
O Other. Describe 


O. Who will be responsible for protecting the privacy rights of the public and 
employees? This includes officials responsible for addressing Privacy Act 
complaints and requests for redress or amendment of records. 


The Hosting Services Branch Chief, Office of the Secretary, serves as the EHRI 
Information System Owner and the official responsible for oversight and management of 
the EHRI security controls. The Information System Owner is responsible for ensuring 
adequate safeguards are implemented to protect privacy in compliance with Federal laws 
and policies for the equipment and any residual data retired and disposed of in EHRI. 
The DOI legacy EHRI infrastructure has been decommissioned, and the OPM systems 
and data were migrated to an OPM managed site. 
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. Who is responsible for assuring proper use of the data and for reporting the loss, 
compromise, unauthorized disclosure, or unauthorized access of privacy protected 
information? 


The EHRI Information System Owner is responsible for oversight and management of 
the EHRI security and privacy controls, and for ensuring to the greatest possible extent 
that access to data has been granted in a secure and auditable manner, and the 
decommissioned equipment and any residual data is destroyed in a secure and approved 
manner in accordance with DOI policy. The Information System Owner is also 
responsible for ensuring that any compromise, unauthorized access or use of data is 
reported to DOI-CIRC within 1-hour of discovery in accordance with Federal policy and 
established DOI procedures. 
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